Thursday, January 24, 2013

Fun with ESX: Learning about Bridge in Linux using VMs

The Linux kernel has built-in support for acting as a network switch (bridging). In this post, I am going to define a simple network setup and then build it using Linux VMs on an ESX host.

Problem definition:-
Create a basic bridge (switch) and allow communication between the two VMs connected to that switch/bridge. Here the switch itself runs inside a VM. The diagram below lists the network setup details:-

Requirements:-
Since we are using an ESX host as the hypervisor, we need an ESX host to run the virtual machines, and 3 Linux virtual machines on it.

Machine (Bridge VM) which will act as the bridge:-
This VM needs to have 2 vnics.

The other 2 Traffic VMs (VM1 and VM2):-
These VMs need to have at least one vnic.

Setup Part:-
Create 3 VMs on the ESX host. Below is the snapshot from my setup:-



Next install bridge-utils on the bridge VM (Switch_Test VM in my setup). bridge-utils provides the brctl tool, which is used to create/delete/modify virtual switches on the Linux host.

 root@switch-test# apt-get install bridge-utils  

Now make sure that no IP address is assigned to the two NICs of the switch VM. Instead, put the following config in the "/etc/network/interfaces" file (my Linux OS is Ubuntu).

 # The loopback network interface  
 auto lo  
 iface lo inet loopback  
   
 # Bridge ports: bring them up, but give them no IP configuration  
 auto eth0  
 iface eth0 inet manual  
   
 auto eth1  
 iface eth1 inet manual  

Once this is done, you need to create your first switch. You can create it using the following command:-

 root@switch-test# brctl addbr br0  

For more details, see the manpage of brctl.

Now you need to add the two NICs of the switch VM to the bridge.
 root@switch-test# brctl addif br0 eth0  
 root@switch-test# brctl addif br0 eth1  

Now you need to clear the IP of the interfaces you just added (a bridge port must not carry an address of its own).
 root@switch-test# ifconfig eth0 0.0.0.0  
 root@switch-test# ifconfig eth1 0.0.0.0  

Once added, you need to bring up br0.
 root@switch-test# ip link set br0 up  
 OR
 root@switch-test# ifconfig br0 up  

Once done, your bridge is ready. You just need to plug in the machines as shown in the setup diagram (problem statement diagram).
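The bridge steps above collected into one script, as an added example that is not part of the original post: run with no arguments it prints the commands so they can be reviewed, "apply" runs them (as root, on the switch VM), and "check" parses the output of "brctl show" to confirm that both ports are really attached. It uses "ip addr flush" in place of "ifconfig eth0 0.0.0.0" and the post's "ip link set" form for bringing links up; br0/eth0/eth1 are the post's names, while the function names and the apply/check arguments are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): build the two-port bridge
# described above and verify it.  Bridge and port names are parameters;
# the defaults (br0, eth0, eth1) are the post's.

# Emit, one per line, the commands that create the bridge.  Printing them
# first lets you review (and log) exactly what will change on the switch VM.
bridge_plan() {
    br="$1"; shift
    echo "brctl addbr $br"
    for nic in "$@"; do
        echo "brctl addif $br $nic"
        # A bridge port must not carry an IP of its own: frames are switched
        # at layer 2, and an address here would make the switch VM itself
        # reachable on that segment.
        echo "ip addr flush dev $nic"
        echo "ip link set $nic up"
    done
    echo "ip link set $br up"
}

# Apply the plan (needs root and bridge-utils on the switch VM).
bridge_apply() {
    bridge_plan "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd            # unquoted on purpose: split the line into argv
    done
}

# Read 'brctl show' output on stdin and print the ports attached to bridge $1,
# one per line.  brctl lists the first port on the bridge's own row and any
# further ports on continuation rows whose first columns are empty.
bridge_ports() {
    awk -v br="$1" '
        NR == 1 { next }                                   # header row
        $1 == br { found = 1; if (NF >= 4) print $4; next }
        found && NF == 1 { print $1; next }                # continuation row
        { found = 0 }
    '
}

# Check that every expected port is attached to bridge $1 (brctl show output
# on stdin).  Reports missing ports and returns non-zero if any are absent:
# a port that failed to attach leaves that Traffic VM isolated, not bridged.
bridge_check() {
    br="$1"; shift
    ports=$(bridge_ports "$br")
    rc=0
    for want in "$@"; do
        echo "$ports" | grep -qx "$want" || { echo "missing port: $want" >&2; rc=1; }
    done
    return $rc
}

case "${1:-}" in
    apply) shift; bridge_apply "${1:-br0}" "${2:-eth0}" "${3:-eth1}" ;;
    check) shift; brctl show | bridge_check "${1:-br0}" "${2:-eth0}" "${3:-eth1}" ;;
    *) bridge_plan br0 eth0 eth1 ;;
esac
```

Run "sh bridge.sh" to see the plan, "sh bridge.sh apply" as root to build the bridge, and "sh bridge.sh check" afterwards; the check is the step worth keeping, because "brctl addif" can fail quietly (for example when the port still has an address or a different master) and the ping test later in the post would then fail for a reason that is not obvious.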

The main challenge here is to have the Traffic VMs connected to the individual NICs of the switch VM while making sure they cannot talk to each other directly. To do this, I have created 2 port-groups, each with a separate VLAN, and then applied them to the VMs' vnics. Below is a picture of the vSwitch network on the ESX host.


Simplifying the above network connectivity diagram, I have the network setup depicted in the diagram below:-
Make sure that both port-groups are in promiscuous mode; otherwise packets will not reach the interfaces of the switch VM, because the ESX vSwitch by default only delivers frames addressed to a vnic's own MAC, while a bridge has to see frames meant for other MACs. Keep in mind that promiscuous mode lets every VM on such a port-group see all of that port-group's traffic, so keep these port-groups dedicated to the lab.

Now assign IP addresses to VM1 and VM2 such that they are both in the same subnet. Send a ping from VM1 to VM2. You will be able to communicate from VM1 to VM2 and vice versa via the switch running inside the switch VM.



Wednesday, January 16, 2013

Fixing Cisco's VPN Client Error on Windows 8

Today, working on my Windows 8 machine, I found that Cisco's VPN client was giving me "Error 442" and was unable to connect to the VPN. After trying a lot and searching the web, I found the solution to the problem. Here are the steps to get it working.

Step 1:-
Open Run by pressing "Windows + R" and type "regedit". This opens the Registry Editor.

Step 2:-
Navigate to the following key: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA"

Step 3:-
Here you will find that the "DisplayName" value has some garbage text in front of the VPN client name. You need to modify it.

Select DisplayName to modify it, and remove the leading characters from the value data up to and including "%;", i.e.:
  • For x86, change the value data from something like "@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter" to "Cisco Systems VPN Adapter"
  • For x64, change the value data from something like "@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows" to "Cisco Systems VPN Adapter for 64-bit Windows"

Once this is done, you will be able to connect to the VPN using the VPN Client.

Other causes which might also lead to Error 442:-
If you have enabled "Internet Connection Sharing", you will also see this error. In that case, open "services.msc", navigate to "Internet Connection Sharing" and disable it.




Tuesday, January 15, 2013

Playing with ESX: Setting up NAT in Linux (Basic Setup)

This post is about how to set up NAT in a Linux environment. If you have one central gateway or public IP and want all the internal machines to reach the outside world using the gateway's IP (the public IP), you need to set up NAT. The steps below tell you how to configure it.

Requirements:-
1. The gateway should have 2 NICs, one on the internal network and the other on the public network.
2. Internal machines should be connected via a switch/hub to the private NIC of the Gateway (Machine A).

In the setup below I am using 2 VMs; the config of each VM is as follows:-

Config of Gateway:-
2 NICs attached to the VM.
The first NIC is attached to port-group "VM Network", which can access the public network.
The second NIC is attached to port-group "TMP", which allows only VLAN 85 traffic, so it is a private network.



Config of internal VM:-
The internal VM has only 1 NIC. This NIC is assigned port-group TMP so that it is part of the private network and can reach NIC1 of the Gateway VM.



The network setup for the above is as follows (note that the Gateway VM is named RST1 and the internal VM is named RST2):-


Assign an IP address to NIC1 on the Gateway machine, which is part of the private network. The resulting "/etc/network/interfaces" file is:-

 # This file describes the network interfaces available on your system  
 # and how to activate them. For more information, see interfaces(5).  
   
 # The loopback network interface  
 auto lo  
 iface lo inet loopback  
   
 # The primary network interface  
 auto eth0  
 iface eth0 inet dhcp  
   
 auto eth1  
 iface eth1 inet static  
 address 10.3.1.1  
 netmask 255.255.255.0   

To enable routing functionality on Linux, you need to enable IP forwarding. You can do so with the following command:-

 # echo "1" > /proc/sys/net/ipv4/ip_forward  

To make the change persistent across reboots, open "/etc/sysctl.conf" in your favourite editor and add the following line:-

 net.ipv4.ip_forward = 1  

Reboot your machine.

Now you need to add gateway functionality to this VM. For this, you need to add iptables rules such that traffic arriving on NIC1 is sent out through NIC0. Enter the following commands in the Linux terminal:-

 /sbin/iptables -P FORWARD ACCEPT  
 /sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE  

You can also add the above two lines at the bottom of "/etc/rc.local" so that the rules are restored after a reboot. Now your basic NAT gateway is up and running. Note that "-P FORWARD ACCEPT" forwards traffic in both directions between the two NICs; a stricter gateway only accepts new connections coming from the private side and established replies coming from the public side.

To test the gateway, set the default gateway of the inside VM to the eth1 address of the Gateway, and you will be able to reach the outside world through it. Below is the "/etc/network/interfaces" file of the inside VM.

 # This file describes the network interfaces available on your system  
 # and how to activate them. For more information, see interfaces(5).  
   
 # The loopback network interface  
 auto lo  
 iface lo inet loopback  
   
 # The primary network interface  
 auto eth0  
 iface eth0 inet static  
 address 10.3.1.2  
 netmask 255.255.255.0  
 gateway 10.3.1.1  
   

Now if you try to ping the outside world from this internal VM, you will be able to do so via the gateway.

Some things you can try:-
Try configuring the Gateway so that you can SSH to the VMs behind it. You need to enable port forwarding for that. Happy configuring. :)
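The gateway rules from the setup above and the port-forwarding exercise, as an added example that is not part of the original post: it keeps the post's two-line version and puts beside it a restricted rule set whose FORWARD policy is DROP with explicit accepts for LAN-to-WAN traffic and for replies, plus an optional DNAT rule for the SSH exercise. eth0/eth1 and 10.3.1.0/24 are the post's values; the function names, the apply/basic arguments and the port and host passed to ssh_forward_rules are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.  Builds the NAT gateway rules for
# the setup above (eth0 public, eth1 private 10.3.1.0/24) and shows the post's
# blanket FORWARD ACCEPT beside a restricted rule set.

WAN=${WAN:-eth0}                 # public side, port-group "VM Network"
LAN=${LAN:-eth1}                 # private side, port-group "TMP", 10.3.1.1/24
LAN_NET=${LAN_NET:-10.3.1.0/24}

# The two lines from the post: masquerade everything leaving $1 and forward
# anything, in either direction, between the two NICs.
nat_rules_basic() {
    cat <<EOF
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE
EOF
}

# Restricted version: only the private subnet is masqueraded, new connections
# are forwarded only from LAN to WAN, and WAN->LAN is limited to replies.
nat_rules() {
    wan="$1"; lan="$2"; lan_net="$3"
    cat <<EOF
iptables -t nat -A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# For the "SSH to the VMs behind the gateway" exercise: publish TCP port $1 on
# the WAN side as port 22 of internal host $2, and open FORWARD just for that.
ssh_forward_rules() {
    port="$1"; host="$2"
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport $port -j DNAT --to-destination $host:22
iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $host --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Returns 0 when IP forwarding is on.  The sysctl file path is a parameter
# (default: the real one) so the check can be exercised on a sample file.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# Apply the restricted rule set (run as root on the gateway VM).
nat_apply() {
    ip_forward_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_rules "$WAN" "$LAN" "$LAN_NET" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd                     # unquoted on purpose: split the line into argv
    done
}

case "${1:-}" in
    apply) nat_apply ;;
    basic) nat_rules_basic "$WAN" ;;
    *) nat_rules "$WAN" "$LAN" "$LAN_NET" ;;
esac
```

With no arguments the script only prints the restricted rules, which is the form you would paste into "/etc/rc.local"; "basic" prints the post's original two lines for comparison. The difference that matters is the FORWARD chain: with the post's ACCEPT policy, anything that reaches eth0 with a destination inside 10.3.1.0/24 is routed into the private network, whereas the DROP policy with the two explicit rules lets the internal VM reach out and receive replies but nothing else in, and the SSH port forward then opens exactly one hole on purpose.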

Last but not least, I would like to thank my special friend for coming up with the idea to learn together and do this setup. Hopefully we both will do a lot more fun experiments in the future. Thanks again to that friend. :)